CVE-2026-33949

High CVSS: 8.1

Tina is a headless content management system. Prior to version 2.2.2, a path traversal vulnerability in @tinacms/graphql allows unauthenticated users to write and overwrite arbitrary files within the project root. This is achieved by manipulating the relativePath parameter in GraphQL mutations. The impact includes the ability to replace critical server configuration files and potentially execute arbitrary commands by sabotaging build script. This issue has been patched in version 2.2.2.

Vendor

Ssw

Product

Tinacms\/graphql

CWE

CWE-22

Yayın Tarihi

2026-04-01 17:28:39

Güncelleme

2026-04-07 19:17:35

Source Identifier

security-advisories@github.com

KEV Date Added

Kategoriler

CWE-22 Tinacms\/graphql HIGH Ssw 2026

Referanslar

https://github.com/tinacms/tinacms/security/advisories/GHSA-v9p7-gf3q-h779

Benzer Kayıtlar

High

CVE-2026-34603

Tina is a headless content management system. Prior to version 2.2.2, @tinacms/cli recently added lexical path-traversal…

High

CVE-2026-34604

Tina is a headless content management system. Prior to version 2.2.2, @tinacms/graphql uses string-based path containmen…

High

CVE-2026-28791

Tina is a headless content management system. Prior to 2.1.7, a path traversal vulnerability exists in the TinaCMS devel…

Critical

CVE-2026-28792

Tina is a headless content management system. Prior to 2.1.8 , the TinaCMS CLI dev server combines a permissive CORS con…

High

CVE-2026-28793

Tina is a headless content management system. Prior to 2.1.8, the TinaCMS CLI development server exposes media endpoints…

Medium

CVE-2026-29066

Tina is a headless content management system. Prior to 2.1.8, the TinaCMS CLI dev server configures Vite with server.fs.…